I'm trying to figure out the steps performed by Gitlab, a Ruby on Rails application, to arrive at the authentication token they use.
My knowledge of ruby is basic, and I don't know Ruby on Rails. From what I have figured out, starting with their user.rb model, Gitlab uses a module called Devise to generate the authentication token. Looking at the Devise token_generator.rb module, it seems that the default is a PBKDF2 SHA1 hash with a SHA256 digest, but I also don't know how the configuration file is processed.
The KeyGenerator class is self-contained and I am able to duplicate it in another language. But the TokenGenerator class is going to take me a while to figure out without learning some Ruby on Rails:
require 'openssl'

class TokenGenerator
  # key_generator: an object responding to generate_key(salt) (Devise hands in a KeyGenerator)
  # digest: name of the HMAC digest, SHA256 by default
  def initialize(key_generator, digest="SHA256")
    @key_generator = key_generator
    @digest = digest
  end

  # HMAC of a presented value under the per-column key; nil/blank values yield a falsy result
  def digest(klass, column, value)
    value.present? && OpenSSL::HMAC.hexdigest(@digest, key_for(column), value.to_s)
  end

  # Returns [raw, enc]: raw is a fresh friendly token, enc is its HMAC.
  # Loops until no existing record of klass already stores enc in column.
  def generate(klass, column)
    key = key_for(column)
    loop do
      raw = Devise.friendly_token
      enc = OpenSSL::HMAC.hexdigest(@digest, key, raw)
      break [raw, enc] unless klass.to_adapter.find_first({ column => enc })
    end
  end

  private

  # Per-column key derived from the app secret with the salt "Devise <column>"
  def key_for(column)
    @key_generator.generate_key("Devise #{column}")
  end
end
I realize I'm being lazy and impatient, but I was hoping somebody familiar with Gitlab and Ruby on Rails could help me find out:
- Where in this rails app does TokenGenerator.generate get called for the user creation, and what are the default klass and column values being passed to it?
- Where is "Devise #{column}" read from, and what is its default value?
In other words, I would like to know what parameters supplied by the users end up as factors to this authentication token. The plain text password? The encrypted password? Just a random value?
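To make the generation path in the posted TokenGenerator runnable outside Rails, here is an added, self-contained Ruby example (not Devise's or GitLab's own code). It assumes a stand-in key generator that derives the per-column key with PBKDF2-HMAC-SHA1 from an application secret, as the question describes for KeyGenerator; replaces Devise.friendly_token with SecureRandom.urlsafe_base64 and klass.to_adapter.find_first with an in-memory array; and adds a constant-time check of a presented raw token against the stored HMAC, which the posted class does not include. The secret, the iteration count and the user rows are constructed values.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for the KeyGenerator referred to in the question (assumption:
# PBKDF2-HMAC-SHA1 over the app secret, salted with the string passed in).
class StandInKeyGenerator
  def initialize(secret, iterations: 2**16)
    @secret = secret
    @iterations = iterations
  end

  def generate_key(salt, key_size = 64)
    OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
  end
end

# Stand-in for the store that klass.to_adapter.find_first consults:
# an array of hashes, so the uniqueness loop can be exercised offline.
class InMemoryUsers
  attr_reader :rows

  def initialize(rows = [])
    @rows = rows
  end

  def find_first(conditions)
    @rows.find { |row| conditions.all? { |col, val| row[col] == val } }
  end
end

# Mirror of the posted TokenGenerator with the Rails-specific calls replaced.
class TokenGeneratorExample
  def initialize(key_generator, digest = 'SHA256')
    @key_generator = key_generator
    @digest = digest
  end

  # HMAC of a presented raw token under the per-column key; this is the value
  # that gets compared with the stored column. Blank input yields nil.
  def digest(column, value)
    return nil if value.nil? || value.to_s.empty?
    OpenSSL::HMAC.hexdigest(@digest, key_for(column), value.to_s)
  end

  # Returns [raw, enc]: raw goes to the user, only enc is stored.
  # Retries while an existing row already holds enc (same shape as the posted loop).
  def generate(users, column)
    key = key_for(column)
    loop do
      raw = SecureRandom.urlsafe_base64(15)   # stand-in for Devise.friendly_token
      enc = OpenSSL::HMAC.hexdigest(@digest, key, raw)
      break [raw, enc] unless users.find_first({ column => enc })
    end
  end

  # Constant-time comparison of a presented raw token against a stored digest,
  # so a wrong token takes the same time to reject regardless of where it differs.
  def valid?(column, raw, stored_enc)
    computed = digest(column, raw)
    return false if computed.nil? || computed.bytesize != stored_enc.bytesize
    computed.bytes.zip(stored_enc.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  private

  # Same salt convention as the posted code: "Devise <column name>".
  def key_for(column)
    @key_generator.generate_key("Devise #{column}")
  end
end

# Constructed secret; a real app would use its own secret_key_base here.
EXAMPLE_SECRET = 'constructed-example-secret-not-a-real-key'.freeze

def example_run
  kg = StandInKeyGenerator.new(EXAMPLE_SECRET, iterations: 1000) # low count keeps the demo fast
  tg = TokenGeneratorExample.new(kg)
  users = InMemoryUsers.new
  raw, enc = tg.generate(users, :authentication_token)
  users.rows << { authentication_token: enc }
  {
    raw: raw,
    enc: enc,
    valid: tg.valid?(:authentication_token, raw, enc),
    wrong: tg.valid?(:authentication_token, raw + 'x', enc),
    key_depends_on_column: kg.generate_key('Devise authentication_token') != kg.generate_key('Devise other')
  }
end

puts example_run.inspect if $PROGRAM_NAME == __FILE__
```

Running it shows that the stored column holds HMAC-SHA256(key_for(column), raw), where raw is a fresh random string and the key depends only on the application secret and the column name: nothing from the user's password enters the computation in this model.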